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In re Patent Application of: 
Joubert Berger at al. 
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TRANSFORMING OPERATING SYSTEM 
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DECLARATION OF JOUBERT BERGER 
SUBMITTED UNDER 37 C.F.R. 1.131 
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FEB '2 3 2004 

Commissioner for Patents TechnologV Center 21 00 

P.O. Box 1450 

Alexandria, V A 22313-1450 

Dear Sir: 



1 . My name is Joubert Berger, I am over 21 years of age, and make this declaration based 
upon my own personal knowledge. All of the statements contained herein are, in all 
things, true and correct. 



2. I am one of the inventors of the invention claimed in the above-identified patent 
application. 

3. Prior to June 12, 2001, 1 conceived the idea of a system and method for transforming 
operating system audit data to a desired format as recited in the pending claims of the 
above-identified patent application. Accordingly, prior to June 12, 2001, 1 disclosed my 
invention to my then employer, Hewlett Packard Company. 
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4. Attached hereto as Exhibit A is a copy of the invention disclosure that I submitted to 
Hewlett-Packard Company prior to June 12, 2001, for the filing of a patent application. 
This invention disclosure establishes my conception of the subject matter of the pending 
claims prior to June 12, 2001. 

5. Hewlett-Packard Company considered the invention disclosure that I submitted and 
approved the filing of a corresponding patent application. The application was filed with 
the USPTO on June 29, 2001 . 

I hereby declare that all statements made herein of my own knowledge are true and 
that all statements made on information and belief are believed to be true; and further that 
these statements were made with the knowledge that willful false statements and the tike so 
made are punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the 
United States code and that such willful false statements may jeopardize the validity of the 
application or any patent issued thereon. 
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Description of Invention; 



A. Description of me constnjction and operafion . 



p^?5-e.vo^ ^v^illV <^(N^&^ A cy^l cKsW^<J ^v-a^cC^, > 




6. Advantages 



over what has been done before. 



0. Problems solved * ' — 
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Title: 
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Trusted Linux Audit Functional Specification 


Author 


Scott Leersscn • 






Product & Version: 


Trusted Linux Aloha I 


Ftinctional Area: 


Trusted Linux 



Status: 


□ Not Complete ' 




13 Draft Ready for Review 




Q Reviewed 




□ Revisions Complete 
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® Copyright, ' 



Hewlett-Packard Co. All rights reserved. 
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This documenc describes the functionality required for an audit mechanism on the 
Tnisied Linux product. 
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Figure 1 



Figure I illustrates the interaction of the components of ihc Trusted Linu-\ audit system. 
The major components consist of: 

• Linux kernel hooks - modifications in the kernel to report aiidit events. 

• Audit device driver - collects audit event data from the kernel and provides an 
interface for user space applications to collect and report "events. 

• Audit application programming interface (API) - provides a user level library for 
reading and writing audit event data to and from the audit device driver 

• Audit collection daemon - user space program that collects raw audit event data and 
writes it to a storage device 
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5.6 Audit Transformation API 



Akhough rhe heart of the Trusted Linux audit system is [he IDDS kernel audit, the audit 
transformation layer is the where the event data comes to life. 



Historically, one of the major inhibitors to the usefulness of audit data has been the 
format in which it is pt^esemed. Usually, the data is either human readable or machine 
parsabte, but rarely both. In some cases, one could argue that audit data falls into neither 
one of these categories. 

This usability issue is where the audit transformation API comes into play. By utilizing a 
user defined template, the API reads binary audit data and formats it into any desired 
representation: comnna separated lists, XML, HTML, plain text, etc This list is limited 
only to a user's imagination. Of course, the binary data could even be streamed in its 
original format to a collection server for later processing or correlation. 

The following sections describe functionality of the audit transformation API library. 
Although examples are given for each function, they should not be considered design 
constraints, but merely a guide for determining necessary entry points. 

5.6.1 Operational Description 

The audit transformation .API (ATA) provides a user level library for access to audit data 
spooled to a device. The API allows a user to define the view in which the audit data 
should be presented (e.g. XML stream, ASCII stream, etc.). 
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